Miggo Logo
Miggo Vulnerability Database
CVE-2023-34624

CVE-2023-34624:
htmlcleaner vulnerable to stack exhaustion

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-34624
GHSA ID
GHSA-jv4x-j47q-6qvp
EPSS Score
0.41251%
CWE
CWE-400
Published
6/14/2023
Updated
1/6/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
net.sourceforge.htmlcleaner:htmlcleanermaven< 2.292.29

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The stack trace in GitHub issue #13 shows repeated calls to markNodesToPrune() causing StackOverflowError. This indicates recursive processing without depth control. The vulnerability manifests when parsing HTML with deep nesting/cyclic references, as shown in the PoC. The Debian security advisory confirms the fix involved adding nesting depth limits, which would directly impact these recursive functions. While markNodesToPrune is clearly vulnerable (high confidence), addIfNeededToPruneSet is implicated in the stack trace but with less direct evidence of being the primary recursion driver (medium confidence).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** *tml*l**n*r t*rou** v*rsion *.** *llows *tt**k*rs to **us* * **ni*l o* s*rvi** or ot**r unsp**i*i** imp**ts vi* *r**t** o*j**t t**t us*s *y*li* **p*n**n*i*s.

Reasoning

T** st**k tr*** in *it*u* issu* #** s*ows r*p**t** **lls to `m*rkNo**sToPrun*()` **usin* St**kOv*r*low*rror. T*is in*i**t*s r**ursiv* pro**ssin* wit*out **pt* *ontrol. T** vuln*r**ility m*ni**sts w**n p*rsin* *TML wit* ***p n*stin*/*y*li* r***r*n**s,